Re: working for wheezy-security until wheezy-lts starts
On 2016-03-01, Mike Gabriel <sunweaver@debian.org> wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
> o Pick a package that has open CVE issues in wheezy, e.g. from
> above list
> o Add the package to data/dsa-needed.txt, if not already there:
> - packages with issues to be solved in wheezy only, should be
> suffixed with "/oldstable" (i.e., gosa/oldstable)
> - packages with issues in jessie and wheezy, should probably
> just be added by the package name (without suffix), right?
>
> From then on, the workflow can be the same workflow as used for
> normal security updates (as already described earlier in this
> thread):
>
> o Fix the issue in the package (grab the current package from
> oldstable's archive).
> o Test your fixes.
> o Provide a .debdiff to team@security.debian.org and to the
> Debian bug, if any related bug exists.
>
> o Wait for feedback from the release team on how to proceed.
>
> o As a courtesy, you could check the same package in jessie and
> see if the fix for oldstable is easily forward-portable. Thus,
> maybe providing a jessie-security .debdiff for the package can
> be an option.
>
> The removal of the entry placed into data/dsa-needed.txt should then
> be handled by the Security Team, once the fixed package version has
> been uploaded.
>
> More Feedback?
>
> Mike

Looking good to me; we can refine the process incrementally, if need
be.
Thanks a lot for the help,
--Seb